diff options
| author | Luke Plant <L.Plant.98@cantab.net> | 2016-01-21 15:54:13 +0000 |
|---|---|---|
| committer | Tim Graham <timograham@gmail.com> | 2016-01-21 14:00:06 -0500 |
| commit | b5c4972283452aea914400fbec50191f68886484 (patch) | |
| tree | 9fe6ecc9194627d51ac6f38a0ae1284574a3231f /docs | |
| parent | be3169d6ed7e509c7e3c269e0cc5ae479cee9f9d (diff) | |
[1.9.x] Changed `action="."` to `action=""` in tests and docs.
`action="."` strips query parameters from the URL which is not usually what
you want. Copy-paste coding of these examples could lead to difficult to
track down bugs or even data loss if the query parameter was meant to alter
the scope of a form's POST request.
Backport of 77974a684a2e874bccd8bd9e0939ddcb367a8ed2 from master
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/ref/csrf.txt | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/docs/ref/csrf.txt b/docs/ref/csrf.txt index 6410b9eef0..cb49d28d29 100644 --- a/docs/ref/csrf.txt +++ b/docs/ref/csrf.txt @@ -40,7 +40,7 @@ To take advantage of CSRF protection in your views, follow these steps: 2. In any template that uses a POST form, use the :ttag:`csrf_token` tag inside the ``<form>`` element if the form is for an internal URL, e.g.:: - <form action="." method="post">{% csrf_token %} + <form action="" method="post">{% csrf_token %} This should not be done for POST forms that target external URLs, since that would cause the CSRF token to be leaked, leading to a vulnerability. |
